
I think the best way for the future is to run p0f at certain places on the network to capture live machines passively. But that requires pre-planning and precludes consultants and contractors coming in and doing a thorough and accurate auto-discovery of a network.

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

If you are on the same network you can use the arp scan feature and firewall or not, it'll respond... (-sP -PR)

If not, rather than not sending a ping (-P0), you can use a common list of ports that you would expect to be open/closed and get a decent idea of whether or not the system is up or a firewall is filtering you out... (-PT 23,25,80,135,139,445, for example, to do a TCP ping rather than ICMP, i.e., do a -sP -PT 23,25,80,135,139,445; which ports you use depends heavily on your environment). The theory is explained in the documents for nmap, so I, like others, would highly recommend you read them closely.

There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

I've been using nmap for some time to test LANs, including firewalls. A stealth scan (-sS) will often betray hosts that other options won't find. Particularly Windows XP firewalls. Stealth scans still don't find Windows hosts behind a Norton firewall though. I posted some results on this just last week.

Re: Finding hosts on subnet using nmap.

Originally posted here by rogueactivex When I'm at a client's network sometimes I have the task of trying to find active hosts within the network. Lately I've been using the ping sweep command for NMAP and saving my results to a file, like so:

nmap -oN activehosts.txt -vv -sP 192.168.0.0/24

However the thought occurred to me "what if a client is blocking ICMP pings"? That might be the case, at which point that client PC would be "hidden" from my sweep. So what's the best most efficient way to hunt for active clients on a network, preferably using nmap?

How large can these networks typically get?
What type of information needs to be known about the clients?
How long do you realistically wish to hunt for clients?
Does it need to be cmd line based?

On small networks, I typically use this LAN Scanner. Famatech makes a few free utilities that make small tasks extremely simple.
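The practical upshot of this thread is that no single probe type finds every host: an ICMP sweep saved with -oN misses hosts that drop echo requests, while an ARP ping (-PR, on the local segment) or a TCP ping to ports that are likely open or closed catches many of them. The script below is an added example, not code from the thread or from the Nmap project. It parses the "normal" (-oN) output of several discovery runs, merges the hosts each method saw as up, and reports which hosts a baseline method (here the ICMP sweep) would have missed. The sample outputs are constructed for the example; the hostnames, addresses and MAC address in them are made up. It accepts both the older "Host X appears to be up." line the -sP era printed and the "Nmap scan report for X" / "Host is up" pair that current Nmap prints (where -sn replaced -sP and -PS does the TCP SYN ping).

```python
"""Merge live-host results from several nmap -oN files.

Added example for this thread (not the thread's or Nmap's own code).
All sample output below is constructed; addresses and names are made up.
"""
import re
from collections import defaultdict

# Old nmap (3.x/4.x) -sP normal output: "Host 10.0.0.1 appears to be up."
# or "Host name.lan (10.0.0.1) appears to be up."
OLD_UP = re.compile(r"^Host (?:(\S+) \()?(\d+(?:\.\d+){3})\)? appears to be up")
# Current nmap normal output: "Nmap scan report for name.lan (10.0.0.1)"
# followed on the next line by "Host is up (0.0010s latency)."
NEW_REPORT = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+(?:\.\d+){3})\)?\s*$")


def parse_live_hosts(text: str) -> set[str]:
    """Return the set of IPv4 addresses an -oN file reports as up."""
    hosts: set[str] = set()
    pending = None  # address from the last "Nmap scan report for" line
    for line in text.splitlines():
        m = OLD_UP.match(line)
        if m:
            hosts.add(m.group(2))
            continue
        m = NEW_REPORT.match(line)
        if m:
            pending = m.group(2)
            continue
        if pending and line.startswith("Host is up"):
            hosts.add(pending)
            pending = None
        elif line.startswith("Host is down"):
            pending = None  # printed at higher verbosity; never counts as live
    return hosts


def _ip_key(ip: str) -> tuple[int, ...]:
    return tuple(int(octet) for octet in ip.split("."))


def merge_discovery(results: dict[str, str]) -> dict[str, list[str]]:
    """Map each live address to the sorted list of methods that saw it up.

    results maps a method label (e.g. "icmp", "arp", "tcp") to -oN text.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for method, text in results.items():
        for ip in parse_live_hosts(text):
            seen[ip].add(method)
    return {ip: sorted(seen[ip]) for ip in sorted(seen, key=_ip_key)}


def hidden_from(results: dict[str, str], baseline: str) -> list[str]:
    """Addresses some method found up that the baseline method did not."""
    return [ip for ip, methods in merge_discovery(results).items()
            if baseline not in methods]


# --- constructed sample output (old format, as "nmap -oN ... -vv -sP" wrote it) ---
ICMP_SWEEP = """# nmap 4.11 scan initiated as: nmap -oN activehosts.txt -vv -sP 192.168.0.0/24
Host router.lan (192.168.0.1) appears to be up.
Host 192.168.0.10 appears to be up.
Host 192.168.0.20 appears to be down.
# Nmap run completed -- 256 IP addresses (2 hosts up) scanned
"""

# --- constructed sample output (current format, ARP ping on the local segment) ---
ARP_SWEEP = """Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 10:00 UTC
Nmap scan report for router.lan (192.168.0.1)
Host is up (0.0012s latency).
MAC Address: 00:11:22:33:44:55 (Unknown)
Nmap scan report for 192.168.0.10
Host is up (0.0020s latency).
Nmap scan report for 192.168.0.20
Host is up (0.0031s latency).
Nmap scan report for 192.168.0.21
Host is down.
Nmap done: 256 IP addresses (3 hosts up) scanned
"""

# --- constructed sample output (current format, TCP ping to a port list) ---
TCP_PING = """Nmap scan report for 192.168.0.20
Host is up (0.0045s latency).
Nmap scan report for 192.168.0.30
Host is up (0.0050s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned
"""

SAMPLE_RESULTS = {"icmp": ICMP_SWEEP, "arp": ARP_SWEEP, "tcp": TCP_PING}

if __name__ == "__main__":
    for ip, methods in merge_discovery(SAMPLE_RESULTS).items():
        print(f"{ip:16} seen by: {', '.join(methods)}")
    print("missed by the ICMP sweep:", ", ".join(hidden_from(SAMPLE_RESULTS, "icmp")))
```

Run against real files, each `-oN` output is read from disk and fed in under a label for the probe type that produced it; the "missed by the ICMP sweep" list is then the set of hosts that a plain ping sweep would have reported as absent, which is the gap the original question worried about.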